RE: Amendment Questions
Matt -- Thanks for the update. I have a couple of suggestions.

First, I hope you understand that I participate in this list because, as an attorney, I represent covered entities and business associates. As an attorney and a business associate, I empathize with the struggles that covered entities and BAs face in implementing this complicated rule.

I suggest that covered entities in implementing the access and amendment rights look for flexibility and reasonableness in the designated record set definition. An individual has the right to request access to and amend PHI maintained in designated record sets. The covered entity defines its own designated record sets based on the Privacy Rule's definition and then documents its designation in its Ps and Ps. At a bare minimum, the designated record set concept structures the scope of the access and amendment rights.

According to the Privacy Rule, designated record sets are paper or electronic files that the covered entity uses, in whole or in part, to make decisions about the individual. The Rule provides specific examples of designated record sets. The Preamble notes that quality assurance and peer review records typically are not designated record sets although they include PHI. The Preamble further states that "information may be retrieved or retrievable by name, but if it is never used to make decisions about any individuals, the burdens of requiring a covered entity to find it and to redact information about other individuals outweigh any benefits to the individual of having access to the information." In the context of the access and amendment rights, I think that HHS has expressed the reasonableness concept that you have espoused in the designated record set concept.
Finally, I suggest that if a covered entity takes advantage of the BA transition rule, it should send each "transitional" BA a letter before April 14 explaining the situation and identifying the transitional responsibilities that HHS described on page 39 of the 12/4/02 OCR guidance. That guidance includes excellent information on the BA requirement and the transition provision.

Thanks again for the dialogue.

Best regards,
Dave Ermer
Gordon & Barnett Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com

RE: Amendment Questions
>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 03/02/03 23:24 PM >>>
Dave,

It was an interesting day in Brooklyn yesterday at the HIPAA conference. And three HHS or OCR attorneys did respond to some questions concerning access, amendment, and accountings. Clearly a CE MAY make the amendment if they are able. And the attorneys were mindful that, for many of us (in the audience yesterday) who are struggling to implement a cost-effective process, there is more to this issue than simply allowing access to the PHI: the ability to find and link together the various places where the PHI resides in order to amend all of it no matter where it resides will be very onerous, especially for PHI created prior to the compliance date. It will be very helpful to see a clearly written statement from HHS.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you.
RE: Amendment Questions
Rachel,

No one here is saying otherwise. It is clear that the Privacy rule applies to all PHI maintained by the Covered Entity. And it is also clear that a CE must only provide an accounting for PHI disclosed AFTER the compliance date for those disclosures specified by HIPAA.

However, apparently there is some confusion about whether or not a CE is responsible for acquiescing to all requests to amend PHI created prior to the compliance date. Clearly a CE MAY make the amendment if they are able. But, for those of us who are struggling to implement a cost-effective process, there is more to this issue than simply allowing access to the PHI: the ability to find and link together the various places where the PHI resides in order to amend all of it no matter where it resides will be very onerous, especially for PHI created prior to the compliance date.

And in this light, it is very interesting to me that the HHS attorney that I heard (speak) yesterday in Brooklyn was much less emphatic when considering these issues than was the attorney in Chicago that you heard (speak). And it is for this reason that I would like to see a clearly written statement from HHS.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

RE: Amendment Questions
From: Rachel Foerster [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 02, 2003 7:14 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

And just to reinforce Dave's comments, at today's CMS/OCR Privacy meeting in Chicago an OCR attorney explicitly stated that health information held by a covered entity that was created or received prior to 4/14/03 IS subject to all of the privacy rule's requirements on and AFTER 4/14/03. In other words, the CE must account for all disclosures of health information that occur after 4/14/03 to health information it had in its possession prior to 4/14/03, and likewise, health information in its possession prior to 4/14/03 is subject to a request for an amendment by the individual on and after 4/14/03 as well as the individual having the right of access to that health information.

The same OCR attorney also cautioned the audience that if the CE modified its NPP subsequent to its original NPP that must be provided on and after 4/14/03 it should take care to ensure that there is language in the modified NPP to indicate that the NPP applies not only to health information created or received after the new NPP but also to ALL health held by the CE prior to the newly modified NPP.

Rachel Foerster
Rachel Foerster & Associates, Ltd.
Voice: 847-872-8070
email: [EMAIL PROTECTED]
http://www.rfa-edi.com

This transmission may be confidential or protected from disclosure and is only for review and use by the intended recipient. Access by anyone else is unauthorized. Any unauthorized reader is hereby notified that any review, use, dissemination, disclosure or copying of this information, or any act or omission taken in reliance on it, is prohibited and may be unlawful. If you received this transmission in error, please notify the sender immediately. Thank you.

-Original Message-
From: David Ermer [mailto:[EMAIL PROTECTED]
Sent: Sunday, March 02, 2003 1:18 PM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

Matt -- The Q&A demonstrates that HHS intends that the Privacy Rule generally apply to all PHI that the CE maintains as of 4/14/03.
If HHS had intended to exempt from the access and amendment rights PHI created before 4/14/03 it would have said so in the § 164.524 and § 164.526 of the Rule. The Privacy Rule is a law. Administrative rules are interpreted in accordance with the standards of statutory construction. The U.S. Supreme Court has ruled that "When Congress [or another law maker -- here HHS] includes particular language in one section of a statute [here the pre-4/14/03 disclosure exception from the accounting for disclosures section] but omits it from another section of the same Act [or other law -- here §§ 164.524 and 164.526], it is generally presumed that Congress [or the pertinent law maker] acts intentionally and purposefully in the disparate inclusion or exclusion." Bates v. United States, 522 U.S. 23, 29-30 (1997). In my opinion, a CE cannot just create additional exceptions to the amendment right because they might make sense.

I personally don't think that access and amendment rights are particularly onerous to implement as there are a number of fairly broad, express exceptions to the amendment right. The amendment right, by the way, was the subject of a Seinfeld episode in which Kramer unsuccessfully tried to get Elaine's medical records from her doctor who had noted that Elaine was a troublemaker.

As for the BA transition rule, if after 4/14/03 a CE receives an amendment request, and the CE believes that the amendment request should be granted, it must pass that information to the business associate. If the contract provisions are not in place, I imagine that a BA could refuse to process the amendment. I don't know why a BA would refuse to do so, but in that case, the CE should hold onto the amendment request, and once the BA contract provisions are in place, then it should require the BA to process the amendment in accordance with the contract and the Privacy Rule.

I agree with you that there are a lot of ambiguities in this complex Rule, but I don't think that the amendment question falls into this category. Remember under the law, you don't get into a reasonableness analysis when the language of the regulation is unambiguous.

I do appreciate all the prompt advice that you give CE's on this list serv and this exchange in particular. If HHS provides more guidance, let us know.

Best regards,
Dave Ermer
Gordon & Barnett Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com

>>> [EMAIL PROTECTED] 03/01/03 12:15AM >>>
Dave, I must respectfully disagree with your application of the Q&A that you cited (below). Clearly that Q&A was intended to convey HHS' intent that on and after the compliance date the Privacy Rule will protect all PHI that a CE creates or maintains about an individual, regardless of when t
RE: Amendment Questions
From: Matthew Rosenblum [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 01, 2003 12:15 AM
To: 'David Ermer'; '[EMAIL PROTECTED]'
Subject: RE: Amendment Questions

Dave,

I must respectfully disagree with your application of the Q&A that you cited (below). Clearly that Q&A was intended to convey HHS' intent that on and after the compliance date the Privacy Rule will protect all PHI that a CE creates or maintains about an individual, regardless of when that PHI was created. No one would disagree with that intent.

However, the Privacy Rule is imbued with "reasonableness" that provides us with guidance against implementing onerous processes that would be untenable and too costly. (This concept has been greatly advanced and supported by the recently published Security Rules.) Consequently, and in a number of instances, the Privacy Rule reflects this notion by NOT mandating that CE's implement certain retrieval processes with regard to PHI created prior to the compliance date, for example "accountings of disclosure".

Further, the "transition" rule is relevant to this notion, because the CE is in some instances NOT obligated to execute the BAC until one year after the compliance date, and until that is done, what would be the BA's legal obligation to assist in the amendment of the PHI unless specified in a contract?

Please advise. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

RE: Amendment Questions
From: David Ermer [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 10:26 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Amendment Questions

Matt -- Here is an interesting excerpt from the 12/28/00 HHS Preamble which clearly supports my position:

"Comment: Several comments raised questions about the application of the rule to individually identifiable information created prior to (1) the effective date of the rule, and (2) the compliance dates of the rule. One commenter suggested that the rule should apply only to information gathered after the effective date of the final rule.

Response: We disagree with the commenter's suggestion. The requirements of this regulation apply to all protected health information held by a covered entity, regardless of when or how the covered entity obtained the information. Congress required us to adopt privacy standards that apply to individually identifiable health information. While it limited the compliance date for health plans, covered health care providers, and healthcare clearinghouses, it did not provide similar limiting language with regard to individually identifiable health information. Therefore, uses and disclosures of protected health information made by a covered entity after the compliance date of this regulation must meet the requirements of these rules. Uses or disclosures of individually identifiable health information made prior to the compliance date are not affected; covered entities will not be sanctioned under this rule based on past uses or disclosures that are inconsistent with this regulation."

I agree with you that CE's should clarify gray areas in their NPPs. I do not find this amendment question to be a gray area, however. I find the BA transition provision irrelevant to the resolution of this issue. Please refer to the following excerpted BA guidance from the 12/4/02 OCR guidance:

"Q: What are a covered entity's obligations under the HIPAA Privacy Rule with respect to protected health information held by a business associate during the contract transition period?
A: During the contract transition period, covered entities must observe the following responsibilities with respect to protected health information held by their business associates: * * * Fulfill an individual's rights to access and amend his or her protected health information contained in a designated record set, including information held by a business associate, if appropriate, and receive an accounting of disclosures by a business associate." I would be interested in any further clarification that HHS may provide, but written guidance already is out there. Best regards, Dave Ermer Gordon & Barnett Attorneys at Law 1133 21st St., NW, Suite 450 Washington, DC 20036 202-833-3400 ext 3009 (voice) 202-223-0120 (fax) www.gordon-barnett.com >>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/28/03 21:03 PM >>> David, In many instances the CE's DSR is maintained by a BA, and those CE-BA relationships are subject to the "transition" requirements and the timing of the execution of the BAC. Given this, and the explicit exemption given for "accountings" for PHI created prior to the "compliance date", I would say that HHS's intention would be to allow the CE to start with the "compliance date" and go forward from that day. But I agree with you that this may be a "gray" area, and that is why I suggested to Pat that the NPP would let the individual (patient) know what the CE may be "allowed" to do. I would certainly like to hear from the folks at HHS and OCR about this one. I'll be at the HIPAA conference in Brooklyn tomorrow, and if I have an opportunity to ask, I will. I hope that this helps. Your questions are always welcome. Matt Matthew Rosenblum Chief Operations Officer Privacy, Quality Management & Regulatory Affairs CPI Directions, Inc. 
RE: Amendment Questions
David,

In many instances the CE's DSR is maintained by a BA, and those CE-BA relationships are subject to the "transition" requirements and the timing of the execution of the BAC. Given this, and the explicit exemption given for "accountings" for PHI created prior to the "compliance date", I would say that HHS's intention would be to allow the CE to start with the "compliance date" and go forward from that day. But I agree with you that this may be a "gray" area, and that is why I suggested to Pat that the NPP would let the individual (patient) know what the CE may be "allowed" to do.

I would certainly like to hear from the folks at HHS and OCR about this one. I'll be at the HIPAA conference in Brooklyn tomorrow, and if I have an opportunity to ask, I will.

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

CONFIDENTIALITY NOTICE: This E-Mail is intended only for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from disclosure under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender by E-Mail at the address shown and delete the original message. Thank you.

CONFIDENTIALITY NOTICE: This email is solely for the use of the individual or entity to which it is addressed and may contain information that is privileged, confidential and exempt from access under applicable law. If you have received this communication in error, please do not distribute it. Please notify the sender of the E-Mail at the address shown and delete the original message. Thank you.
-----Original Message-----
From: David Ermer [mailto:[EMAIL PROTECTED]
Sent: Friday, February 28, 2003 10:20 AM
To: WEDI SNIP Privacy Workgroup List
Subject: RE: Amendment Questions

Matt --

I respectfully question your response. The Privacy Rule, 45 CFR § 164.526(a), states that individuals have the right to request an amendment as long as the CE holds the PHI in a designated record set. Neither § 164.526 nor § 164.524 (the access right) create an exception for PHI created or received before 4/14/03. If such an exception were implicit in the Privacy Rule then there would have been no need for the express exception found in § 164.528 for otherwise accountable disclosures occurring before 4/14/03.

Obviously, the right to request an amendment is prospective. A CE is not obligated to search its files for amendment requests that it may have received and denied before April 14. But in my opinion, beginning April 14, an individual is entitled to request PHI access or amendment with respect to PHI created before that date found in the CE's designated record sets.

Best regards,
Dave Ermer
Gordon & Barnett
Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com

>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/27/03 08:22PM >>>

Patricia,

1) It depends what you say in your NPP, but HIPAA does not mandate that a CE include past information (i.e., PHI created prior to the compliance date)
2) HIPAA does NOT require a "written" request from the individual

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
RE: Amendment Questions
Matt --

I respectfully question your response. The Privacy Rule, 45 CFR § 164.526(a), states that individuals have the right to request an amendment as long as the CE holds the PHI in a designated record set. Neither § 164.526 nor § 164.524 (the access right) create an exception for PHI created or received before 4/14/03. If such an exception were implicit in the Privacy Rule then there would have been no need for the express exception found in § 164.528 for otherwise accountable disclosures occurring before 4/14/03.

Obviously, the right to request an amendment is prospective. A CE is not obligated to search its files for amendment requests that it may have received and denied before April 14. But in my opinion, beginning April 14, an individual is entitled to request PHI access or amendment with respect to PHI created before that date found in the CE's designated record sets.

Best regards,
Dave Ermer
Gordon & Barnett
Attorneys at Law
1133 21st St., NW, Suite 450
Washington, DC 20036
202-833-3400 ext 3009 (voice)
202-223-0120 (fax)
www.gordon-barnett.com

>>> "Matthew Rosenblum" <[EMAIL PROTECTED]> 02/27/03 08:22PM >>>

Patricia,

1) It depends what you say in your NPP, but HIPAA does not mandate that a CE include past information (i.e., PHI created prior to the compliance date)
2) HIPAA does NOT require a "written" request from the individual

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Patricia Conroe [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 2:31 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Amendment Questions

I have two questions regarding amendment of the medical/billing record.

1. Do we have to amend info kept prior to the deadline? (The disclosure log specifically says you do not, but nothing on the amendment. What about all those places that have info on microfilm?) and
2. When a patient calls regarding charges on their bill and after investigation it's discovered that those charges are in fact wrong and shouldn't be there. Do you go through the whole amendment process (we have 3 different forms right now for amending info) or is this something we can just go ahead and do?

Thanks for your help!

---
The WEDI SNIP listserv to which you are subscribed is not moderated. The discussions on this listserv therefore represent the views of the individual participants, and do not necessarily represent the views of the WEDI Board of Directors nor WEDI SNIP. If you wish to receive an official opinion, post your question to the WEDI SNIP Issues Database at http://snip.wedi.org/tracking/. These listservs should not be used for commercial marketing purposes or discussion of specific vendor products and services. They also are not intended to be used as a forum for personal disagreements or unprofessional communication at any time.
You are currently subscribed to wedi-privacy as: [EMAIL PROTECTED] To unsubscribe from this list, go to the Subscribe/Unsubscribe form at http://subscribe.wedi.org or send a blank email to [EMAIL PROTECTED] If you need to unsubscribe but your current email address is not the same as the address subscribed to the list, please use the Subscribe/Unsubscribe form at http://subscribe.wedi.org
RE: Amendment Questions
Patricia,

1) It depends what you say in your NPP, but HIPAA does not mandate that a CE include past information (i.e., PHI created prior to the compliance date)
2) HIPAA does NOT require a "written" request from the individual

I hope that this helps. Your questions are always welcome.

Matt

Matthew Rosenblum
Chief Operations Officer
Privacy, Quality Management & Regulatory Affairs
http://www.CPIdirections.com
CPI Directions, Inc.
10 West 15th Street, Suite 1922
New York, NY 10011
(212) 675-6367
[EMAIL PROTECTED]

-----Original Message-----
From: Patricia Conroe [mailto:[EMAIL PROTECTED]
Sent: Thursday, February 27, 2003 2:31 PM
To: WEDI SNIP Privacy Workgroup List
Subject: Amendment Questions

I have two questions regarding amendment of the medical/billing record.

1. Do we have to amend info kept prior to the deadline? (The disclosure log specifically says you do not, but nothing on the amendment. What about all those places that have info on microfilm?) and
2. When a patient calls regarding charges on their bill and after investigation it's discovered that those charges are in fact wrong and shouldn't be there.
Do you go through the whole amendment process (we have 3 different forms right now for amending info) or is this something we can just go ahead and do?

Thanks for your help!